ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Sun May 03, 2009 1:27 am Post subject: Stuck At Desktop.
Hi, I got this new problem on my PC where after I restart my computer, it gets stuck at the desktop and I have to open task manager to start the desktop. I feel that there is viruses/spyware causing this.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:14 AM, on 5/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wtukd32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\1828573018.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
C:\WINDOWS\system32\dncyool64.sys
C:\Program Files\trend micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\sdrgfcvbf.dll - {c2ba40a1-74f3-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\sdrgfcvbf.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [DrWebScheduler] C:\Program Files\DrWeb\DRWEBSCD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\1828573018.exe
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/...ctivex/
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/c...nt/wuwe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/c...nt/muwe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flash.7sultans.com/7sultans/FlashAX2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: edgztw c:\windows\system32\jezemimu.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\sdrgfcvbf.dll
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: sopidkc Service (sopidkc) - 5.232.121.233 - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe
--
End of file - 9663 bytes
greyknight17
Joined: Feb 03, 2003 Posts: 5651
Location: Brooklyn, NY
Posted: Sun May 03, 2009 9:32 am Post subject:
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html. Double-click on mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\sdrgfcvbf.dll - {c2ba40a1-74f3-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\sdrgfcvbf.dll
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\1828573018.exe
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: edgztw c:\windows\system32\jezemimu.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\sdrgfcvbf.dll
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: sopidkc Service (sopidkc) - 5.232.121.233 - C:\WINDOWS\system32\sopidkc.exe
Download the OTMoveIt3 by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Processes
explorer
:Files
C:\DOCUME~1\Owner\LOCALS~1\Temp\1828573018.exe
C:\WINDOWS\dhcp
C:\WINDOWS\system32\config\SYSTEM~1\protect.dll
C:\WINDOWS\system32\dncyool64.sys
c:\windows\system32\jezemimu.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\sdrgfcvbf.dll
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\wtukd32.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
- Click the red MoveIt! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until the part about posting the log. Post the ComboFix log here.
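A defender-side triage script, added here as an example that is not part of this thread or of HijackThis itself, which flags the entry classes greyknight17 picked out of the log above: the F2 UserInit change, the O20 AppInit_DLLs entry, O4 autostarts from Temp directories or via rundll32 from the registry hive folder, the O7 DisableRegedit policy, the localhost proxy, and the two O23 services (company field is an IP address; svchost.exe outside the system directory). The heuristics, function names and sample lines are mine; the sample lines are copied from the first log in this thread.

```python
"""Triage a HijackThis (HJT) log for the entry classes the helper in this thread
acted on. The heuristics are illustrative and are not an HJT feature."""
import re

# An HJT entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Per-user and system Temp directories as HJT prints them (8.3 and long forms).
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|WINDOWS\\TEMP)\\", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Directories where a genuine svchost.exe lives on a Windows install.
SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Sample input constructed for this example: entries copied from the first log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\1828573018.exe
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: edgztw c:\windows\system32\jezemimu.dll
O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: sopidkc Service (sopidkc) - 5.232.121.233 - C:\WINDOWS\system32\sopidkc.exe
"""


def triage_line(line):
    """Return (code, reason) if the entry matches a suspicious pattern, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    if code == "F2" and "UserInit=" in body:
        # Winlogon runs every comma-separated program listed here at logon;
        # only userinit.exe belongs, anything else is persistence.
        programs = [p.strip().lower() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in programs if not p.endswith("\\userinit.exe")]
        if extra:
            return code, "UserInit runs extra program(s): " + ", ".join(extra)
    if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        # Any DLL listed here is loaded into every process that links user32.dll.
        return code, "AppInit_DLLs set: " + body.split(":", 1)[1].strip()
    if code == "O4" and TEMP_DIR_RE.search(body):
        return code, "autostart from a Temp directory"
    if code == "O4" and "rundll32.exe" in low and "\\config\\" in low:
        # The registry hive folder never holds legitimate DLLs.
        return code, "rundll32 loads a DLL from the config (hive) directory"
    if code == "O7" and "DisableRegedit=1" in body:
        return code, "policy blocks Registry Editor"
    if code == "R1" and "ProxyServer" in body and "localhost" in low:
        return code, "browser traffic proxied through a local listener"
    if code == "O23" and body.startswith("Service:"):
        # Body layout: "Service: <display> (<name>) - <company> - <path>".
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3:
            company, path = parts[1], parts[2].lower()
            if IPV4_RE.match(company):
                return code, "service company field is an IP address: " + company
            if path.endswith("\\svchost.exe") and not path.startswith(SVCHOST_DIRS):
                return code, "svchost.exe running from a non-system directory: " + parts[2]
    return None


def triage_log(text):
    """Return [(code, reason, line)] for every suspicious entry in an HJT log."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Benign entries such as the HP updater and the Bonjour service pass through untouched, so the output is only the entries a helper would want to look at first.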
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Sun May 03, 2009 10:15 am Post subject:
When I try updating MBAM, it's saying "Update failed. Make sure you are connected to the Internet and your firewall is set to allow MBAM to access the internet."
greyknight17
Joined: Feb 03, 2003 Posts: 5651
Location: Brooklyn, NY
Posted: Tue May 05, 2009 11:27 am Post subject:
Run MBAM as it is for now. Try updating it later on when you finish with the other remaining scans in the instructions.
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Tue May 05, 2009 2:48 pm Post subject:
OK, so I did this, but I don't think anything was removed.
First, I ran MBAM and it asked to be restarted. I did that and when it came up, XP made my PC login to the Admin user (it never does that) and then it immediately logged off. I did this continually. Eventually after a few restarts, it came back to my original problem of freezing on the desktop.
So I don't think that it even deleted the things it needed to delete. I did run Hijackthis and when I selected everything you told me to select and ran another scan, the same things popped up to be selected for deletion.
ComboFix didn't run because it says that my PC has a virus and that it isn't safe to run it.
greyknight17
Joined: Feb 03, 2003 Posts: 5651
Location: Brooklyn, NY
Posted: Thu May 07, 2009 11:54 am Post subject:
Does ComboFix mention what the virus was? If it's Virut, run the FixVirut tool here. Then try ComboFix again.
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Fri May 08, 2009 1:35 pm Post subject:
Hi, I tried running this multiple times. It only runs in safe mode, and then when it boots in regular mode, ComboFix still doesn't run. I also ran it in safe mode and then, when it asked to restart, I booted into safe mode again and it still didn't run. I even tried changing the name of ComboFix to see if it would run, but no.
This is starting to anger me.
greyknight17
Joined: Feb 03, 2003 Posts: 5651
Location: Brooklyn, NY
Posted: Sat May 09, 2009 11:40 am Post subject:
Were you able to do the HijackThis and OTMoveIt3 fixes? If so, post the logs for them; for HijackThis, run a new scan.
I wonder if this is related to what we had at work. There is a nasty trojan out there that's been wreaking havoc lately. It affected our computers at work that didn't have the latest antivirus and Windows updates. I don't see any antivirus programs installed on your computer. I highly recommend installing AVG. It's free for personal use. Also update your Windows with all the critical updates available.
Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm
* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Sat May 09, 2009 2:03 pm Post subject:
Here is the latest HJT log. Like I mentioned before, I picked "Fix checked" for the files you told me to delete before, and it acts as if it's going to delete them, but it doesn't. As far as the anti-viruses go, I did try to download AVG last night, but needless to say, it's not letting me download it because of whatever is on my system. I am going to try to do a Windows update now.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:21 PM, on 5/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\services.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\trend micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\RunOnce: [OTMoveIt] C:\Documents and Settings\Owner\Desktop\OTMoveIt3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\ADMINI~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9300] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD744] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5718] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9921] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4998] command /c del "C:\WINDOWS\system32\ovfsthxjbabdqxy.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4442] cmd /c del "C:\WINDOWS\system32\ovfsthxjbabdqxy.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3872] command /c del "C:\WINDOWS\system32\ovfsthxltfqptbq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD280] cmd /c del "C:\WINDOWS\system32\ovfsthxltfqptbq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2195] command /c del "C:\WINDOWS\system32\ovfsthxmmkiscil.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9596] cmd /c del "C:\WINDOWS\system32\ovfsthxmmkiscil.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9778] command /c del "C:\WINDOWS\system32\wsnpoem\video.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1077] cmd /c del "C:\WINDOWS\system32\wsnpoem\video.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6265] command /c del "C:\WINDOWS\system32\wsnpoem\audio.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD160] cmd /c del "C:\WINDOWS\system32\wsnpoem\audio.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4649] command /c del "C:\WINDOWS\system32\ovfsthxjbabdqxy.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9115] cmd /c del "C:\WINDOWS\system32\ovfsthxjbabdqxy.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4707] command /c del "C:\WINDOWS\system32\ovfsthxltfqptbq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD849] cmd /c del "C:\WINDOWS\system32\ovfsthxltfqptbq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2303] command /c del "C:\WINDOWS\system32\ovfsthxmmkiscil.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1658] cmd /c del "C:\WINDOWS\system32\ovfsthxmmkiscil.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2974783308.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\dccs627y7f.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\dccs627y7f.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - S-1-5-19 Startup: ChkDisk.dll (User 'LOCAL SERVICE')
O4 - S-1-5-19 Startup: ChkDisk.lnk = ? (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/...ctivex/
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/c...nt/wuwe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/c...nt/muwe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flash.7sultans.com/7sultans/FlashAX2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe (file missing)
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe
--
End of file - 11988 bytes
========== PROCESSES ==========
Unable to kill process: explorer
========== FILES ==========
File/Folder C:\DOCUME~1\Owner\LOCALS~1\Temp\1828573018.exe not found.
C:\WINDOWS\dhcp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\config\SYSTEM~1\protect.dll
C:\WINDOWS\system32\config\SYSTEM~1\protect.dll NOT unregistered.
C:\WINDOWS\system32\config\SYSTEM~1\protect.dll moved successfully.
C:\WINDOWS\system32\dncyool64.sys moved successfully.
File/Folder c:\windows\system32\jezemimu.dll not found.
File move failed. C:\WINDOWS\system32\ntos.exe scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\sdrgfcvbf.dll not found.
C:\WINDOWS\system32\sopidkc.exe moved successfully.
C:\WINDOWS\system32\wtukd32.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_Lh4RR7NKtoyCW3crzyFE scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\IadHide4.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\nsrbgxod.bak scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mpj38297.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta21828.dll scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05092009_123547
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Sat May 09, 2009 3:28 pm
BTW, I did attempt to update Windows, but every other website is working except the Windows one.
farchord
Joined: May 08, 2009 Posts: 2
Posted: Sat May 09, 2009 3:36 pm
Try this. Boot into safe mode. Start, Run. Type msconfig.
Go to the Services tab, check 'Hide all Microsoft Services' and disable the rest.
Go to the Startup tab and disable everything there too.
Hopefully it leaves you a bit of room to fix it in normal mode. But you seem to be truffled with spyware.
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Sat May 09, 2009 5:51 pm
I don't have any network connections now.
farchord
Joined: May 08, 2009 Posts: 2
Posted: Sat May 09, 2009 7:36 pm
Then you might require some kind of network troubleshooting. A spyware might have attached a module to Winsock or to the network system that, if a certain program or service isn't running, is going to just block all the internet (like some firewalls).
greyknight17
Joined: Feb 03, 2003 Posts: 5651
Location: Brooklyn, NY
Posted: Sun May 10, 2009 12:35 pm
ferasb, I assume the network was fine before you disabled all those services? Please enable them back.
See if you can run ComboFix again. Rename it to something like ferasb.com instead of the .exe extension.
 |
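The two explanations offered above for the dead network (greyknight17: the services ferasb disabled through msconfig; farchord: a module hooked into Winsock or a proxy that only works while a malware process is running) can both be checked against the ComboFix output ferasb posts next. Under "Reg Loading Points" ComboFix prints the services msconfig has disabled (with their original start type, 2 = Automatic, 3 = Manual), the Winlogon Userinit value, the IE ProxyServer setting, any Winsock LSP and the Firefox proxy preference. The script below is an added example, not part of this thread and not ComboFix's or HijackThis's own code: it parses a constructed sample of such lines (modelled on the log that follows, but a constructed input nonetheless) and flags the settings that would take networking down. The list of network-critical XP service names, the loopback-proxy rule and the expected default Userinit path are assumptions of the example.

```python
"""Flag network-breaking settings in ComboFix 'Reg Loading Points' and
'Supplementary Scan' lines (constructed example, not a ComboFix feature)."""
import re

# Windows XP services that ordinary TCP/IP networking depends on. Unchecking a
# service in msconfig stores its original start type (2 = Automatic, 3 = Manual)
# under ...\shared tools\msconfig\services, so a name appearing there means the
# user disabled it. This list is an assumption of the example.
NETWORK_SERVICES = {
    "dhcp": "DHCP Client",
    "dnscache": "DNS Client",
    "nla": "Network Location Awareness",
    "netman": "Network Connections",
    "lanmanworkstation": "Workstation",
    "wzcsvc": "Wireless Zero Configuration",
    "rasman": "Remote Access Connection Manager",
    "sens": "System Event Notification",
    "eventsystem": "COM+ Event System",
}
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # assumed default
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.+)$')
_IE_PROXY = re.compile(r"^[um]Internet Settings,ProxyServer = (.+)$")
_FF_PROXY = re.compile(r"^FF - prefs\.js: network\.proxy\.http - (.+)$")
_LSP = re.compile(r"^LSP: (.+)$")

# Constructed sample input, modelled on the lines ComboFix prints.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"Nla"=3 (0x3)
"lanmanworkstation"=2 (0x2)
"Dnscache"=2 (0x2)
"Dhcp"=2 (0x2)
"ose"=3 (0x3)
uInternet Settings,ProxyServer = http=localhost:7171
LSP: %SystemRoot%\system32\DRWEBSP.DLL
FF - prefs.js: network.proxy.http - localhost
""".strip().splitlines()


def proxy_hosts(value):
    """Yield the host of each entry in an IE ProxyServer string, which is either
    'host:port' or ';'-separated 'scheme=host:port' pairs."""
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        yield host.strip("[]").lower()


def scan(lines):
    """Return (category, detail) findings for ComboFix-style log lines."""
    findings = []
    key = ""  # registry key the current value lines belong to
    for raw in lines:
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _VALUE.match(line)
        if m and key.endswith(r"shared tools\msconfig\services"):
            name = m.group(1).lower()
            if name in NETWORK_SERVICES:
                findings.append(("msconfig-disabled", f"{m.group(1)} ({NETWORK_SERVICES[name]})"))
            continue
        if m and key.endswith(r"windows nt\currentversion\winlogon") and m.group(1).lower() == "userinit":
            # Default is userinit.exe plus a trailing comma; anything else runs in its place at logon.
            path = m.group(2).strip('"').rstrip(",").strip().lower()
            if path != DEFAULT_USERINIT:
                findings.append(("userinit", m.group(2).strip('"')))
            continue
        m = _IE_PROXY.match(line)
        if m and any(h in LOOPBACK for h in proxy_hosts(m.group(1))):
            # A proxy on the local machine only works while its listener runs; kill it and IE goes dark.
            findings.append(("ie-loopback-proxy", m.group(1).strip()))
        m = _FF_PROXY.match(line)
        if m and m.group(1).strip().lower() in LOOPBACK:
            findings.append(("ff-loopback-proxy", m.group(1).strip()))
        m = _LSP.match(line)
        if m:
            # Every LSP sits in the Winsock chain; report it so the vendor can be confirmed.
            findings.append(("lsp", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for category, detail in scan(SAMPLE_LOG):
        print(f"{category:<20} {detail}")
```

The LSP finding is a prompt to verify, not a verdict: antivirus products such as the Dr.Web install visible in this log register LSPs legitimately, so the DLL's vendor has to be checked rather than the entry removed on sight. The loopback-proxy rule is the mechanism farchord describes: once the process that listened on the local port is killed, every browser configured to use it loses connectivity until the proxy setting is cleared.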
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Mon May 11, 2009 5:01 pm
Hi, guys.
First off, thanks for all the help. I appreciate it.
I was finally able to run Combofix. I have the log as well as a fresh hijackthis below. However, I still am not able to run the internet and I am getting a bunch of errors when I run my desktop.
ComboFix 09-05-11.01 - Owner 05/11/2009 15:16:42.7 - NTFSx86
Running from: F:\ferasb.com
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\protect.dll
C:\Documents and Settings\Administrator\reader_s.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ChkDisk.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\protect.dll
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\NetworkService\protect.dll
C:\Documents and Settings\Owner\protect.dll
C:\Documents and Settings\Owner\reader_s.exe
C:\Program Files\ThunMail
C:\Program Files\ThunMail\testabd.dll
C:\Program Files\ThunMail\testabd.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\Install.txt
C:\WINDOWS\ld08.exe
C:\WINDOWS\mqcd.dbt
C:\WINDOWS\pp06.exe
C:\WINDOWS\services.exe
C:\WINDOWS\st_1241996538.exe
C:\WINDOWS\system32\199638
C:\WINDOWS\system32\199638\199638.dll
C:\WINDOWS\system32\6to4v32.dll
C:\WINDOWS\system32\796525
C:\WINDOWS\system32\796525\796525.dll
C:\WINDOWS\system32\ak1.exe
C:\WINDOWS\system32\ashl.nq
C:\WINDOWS\system32\autochk.dll
C:\WINDOWS\system32\bapuzotu.dll
C:\WINDOWS\system32\bawpmu.dll
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\config\systemprofile\protect.dll
C:\WINDOWS\system32\dolman.zt
C:\WINDOWS\system32\dpcxool64.sys
C:\WINDOWS\system32\drivers\protect.sys
C:\WINDOWS\system32\fairy.an
C:\WINDOWS\system32\ferryl.cbv
C:\WINDOWS\system32\fhpatch.dll
C:\WINDOWS\system32\fimahafu.dll
C:\WINDOWS\system32\fiplock.dll
C:\WINDOWS\system32\galavobi.dll
C:\WINDOWS\system32\hfoafa.dll
C:\WINDOWS\system32\huyahife.dll
C:\WINDOWS\system32\Iasv32.dll
C:\WINDOWS\system32\inqby.sr
C:\WINDOWS\system32\Install.txt
C:\WINDOWS\system32\iphy.dll
C:\WINDOWS\system32\kasiyebo.dll
C:\WINDOWS\system32\kpmzty.dll
C:\WINDOWS\system32\lmn_setup.exe
C:\WINDOWS\system32\loader49.exe
C:\WINDOWS\system32\lsffqz.dll
C:\WINDOWS\system32\miziwiva.dll
C:\WINDOWS\system32\mizoluyi.dll
C:\WINDOWS\system32\nanehutu.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\pipiwuhi.dll
C:\WINDOWS\system32\piyuyigi.dll
C:\WINDOWS\system32\pufidihu.dll
C:\WINDOWS\system32\reader_s.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\SYS32DLL.exe
C:\WINDOWS\system32\tcpd.dll
C:\WINDOWS\system32\tgxytk.dll
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\winglsetup.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\yxseqr.dll
C:\WINDOWS\system32\zavomoru.dll
C:\xcrashdump.dat
----- BITS: Possible infected sites -----
hxxp://82.98.235.205
C:\WINDOWS\system32\userinit.exe . . . is infected!!
Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6to4
-------\Legacy_at1394
-------\Legacy_DHCPSRV
-------\Legacy_PROTECT
-------\Legacy_sopidkc
-------\Service_6to4
-------\Service_DhcpSrv
-------\Service_protect
-------\Service_sopidkc
((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.
2009-05-11 20:07:06 . 2007-06-13 10:23:07 1053696 ----a-w C:\WINDOWS\system32\userinit.exe
2009-05-11 19:45:25 . 2009-05-11 20:16:52 0 d-----w C:\WINDOWS\dhcp
2009-05-09 19:16:43 . 2009-05-09 19:16:43 38912 ----a-w C:\WINDOWS\st_1241915067.exe
2009-05-09 01:16:16 . 2009-05-09 01:16:16 2 ---h--w C:\WINDOWS\t55ft2692f44.dat
2009-05-08 17:42:02 . 2009-05-08 17:42:02 0 d-----w C:\Documents and Settings\Administrator\Application Data\Vso
2009-05-07 18:05:07 . 2009-05-07 18:05:07 202 ----a-w C:\43214354.bat
2009-05-05 18:17:01 . 2009-05-11 20:06:28 0 d-----w C:\ComboFix
2009-05-05 18:10:42 . 2009-05-05 18:10:42 0 d-----w C:\_OTMoveIt
2009-05-04 08:25:34 . 2009-05-04 08:25:34 17376 ----a-w C:\WINDOWS\system32\drivers\qlg8b0f.sys
2009-05-04 04:21:11 . 2009-05-04 04:22:24 0 d-----w C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
2009-05-03 14:07:32 . 2009-04-06 20:32:46 15504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2009-05-03 14:07:30 . 2009-04-06 20:32:54 38496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-05-03 14:07:29 . 2009-05-03 14:07:34 0 d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-05-03 04:26:08 . 2009-05-03 04:26:08 0 d-----w C:\Documents and Settings\Administrator\Local Settings\Application Data\Help
2009-05-03 04:00:37 . 2009-05-03 04:11:07 0 d-----w C:\Documents and Settings\Owner\DoctorWeb
2009-05-03 04:00:22 . 2009-05-03 04:00:22 9728 ----atw C:\WINDOWS\system32\DRWEBSP.DLL
2009-05-03 04:00:19 . 2005-10-17 09:33:00 5856 ----a-w C:\WINDOWS\system32\drivers\drwebnet.sys
2009-05-03 04:00:19 . 2009-05-03 04:08:48 0 d-----w C:\Program Files\DrWeb
2009-05-01 20:21:24 . 2009-05-01 20:21:24 17376 ----a-w C:\WINDOWS\system32\drivers\etodb16.sys
2009-04-21 21:55:15 . 2009-03-19 21:32:48 23400 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2009-04-21 21:55:15 . 2008-04-17 17:12:54 107368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2009-04-21 21:54:55 . 2009-04-21 21:54:55 0 d-----w C:\Program Files\iPod
2009-04-21 21:54:50 . 2009-04-21 21:55:11 0 d-----w C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 21:54:50 . 2009-04-21 21:55:11 0 d-----w C:\Program Files\iTunes
2009-04-21 21:54:32 . 2009-04-21 21:54:32 0 d-----w C:\Program Files\Bonjour
2009-04-21 21:53:47 . 2009-04-21 21:54:16 0 d-----w C:\Program Files\QuickTime
2009-04-19 21:11:02 . 2009-05-08 04:53:27 0 d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2009-04-19 21:10:14 . 2009-05-08 04:54:34 0 d-----w C:\Program Files\LimeWire
2009-04-19 04:48:58 . 2009-04-26 04:41:30 15688 ----a-w C:\WINDOWS\system32\lsdelete.exe
2009-04-19 04:41:25 . 2009-04-26 04:41:20 64160 ----a-w C:\WINDOWS\system32\drivers\Lbd.sys
2009-04-19 04:40:17 . 2009-05-05 19:07:47 0 dc-h--w C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-19 04:40:06 . 2009-04-19 04:40:06 0 d-----w C:\Program Files\Lavasoft
2009-04-19 03:37:15 . 2009-04-19 03:37:15 0 d-----w C:\Documents and Settings\LocalService\Local Settings\Application Data\{AD90174D-6BEE-43F7-A9A9-F829F90C0BD5}
2009-04-18 20:43:08 . 2009-04-18 20:43:08 155 ----a-w C:\WINDOWS\system32\SelfDel.bat
2009-04-18 20:28:14 . 2009-05-08 04:10:57 0 ----a-w C:\WINDOWS\system32\drivers\4e723735.sys
2009-04-18 20:10:35 . 2009-05-08 17:31:39 0 d-----w C:\WINDOWS\system32\3361
2009-04-18 20:08:30 . 2009-05-08 04:15:46 0 ----a-w C:\WINDOWS\system32\drivers\8b063a28.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-12 03:17:51 . 2003-08-16 02:54:06 176640 ----a-w C:\WINDOWS\system32\tpsaxyd.exe
2009-05-11 20:18:47 . 2004-01-26 08:10:58 577536 ----a-w C:\WINDOWS\system32\user32.dll
2009-05-11 20:16:32 . 2004-01-26 08:10:09 182912 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2009-05-11 19:56:32 . 2009-05-11 19:56:31 61440 ----a-w C:\WINDOWS\system32\2C.tmp
2009-05-11 19:56:29 . 2009-05-11 19:56:28 84 ----a-w C:\WINDOWS\system32\29.tmp
2009-05-11 19:44:44 . 2007-06-29 22:42:55 2153 --sha-w C:\WINDOWS\system32\mmf.sys
2009-05-09 21:47:44 . 2009-05-09 21:47:42 61440 ----a-w C:\WINDOWS\system32\2A.tmp
2009-05-09 21:47:41 . 2009-05-09 21:47:39 46080 ----a-w C:\WINDOWS\system32\28.tmp
2009-05-09 21:47:39 . 2009-05-09 21:47:38 120 ----a-w C:\WINDOWS\system32\27.tmp
2009-05-09 20:46:47 . 2009-05-09 20:46:47 1 ----a-w C:\WINDOWS\system32\26.tmp
2009-05-09 20:46:47 . 2009-05-09 20:46:44 56832 ----a-w C:\WINDOWS\system32\25.tmp
2009-05-09 20:46:44 . 2009-05-09 20:46:43 84 ----a-w C:\WINDOWS\system32\23.tmp
2009-05-09 20:43:40 . 2009-05-09 20:43:40 1 ----a-w C:\WINDOWS\system32\20.tmp
2009-05-09 20:43:40 . 2009-05-09 20:43:37 56832 ----a-w C:\WINDOWS\system32\1D.tmp
2009-05-09 20:43:37 . 2009-05-09 20:43:36 84 ----a-w C:\WINDOWS\system32\1B.tmp
2009-05-09 19:18:23 . 2009-05-09 19:18:22 1 ----a-w C:\WINDOWS\system32\18.tmp
2009-05-09 19:18:22 . 2009-05-09 19:18:22 56832 ----a-w C:\WINDOWS\system32\17.tmp
2009-05-09 19:18:21 . 2009-05-09 19:18:20 84 ----a-w C:\WINDOWS\system32\14.tmp
2009-05-09 19:00:15 . 2009-05-09 19:00:14 1 ----a-w C:\WINDOWS\system32\12.tmp
2009-05-09 19:00:14 . 2009-05-09 19:00:12 56832 ----a-w C:\WINDOWS\system32\11.tmp
2009-05-09 19:00:12 . 2009-05-09 19:00:11 84 ----a-w C:\WINDOWS\system32\D.tmp
2009-05-09 18:31:46 . 2007-06-26 03:51:57 90112 ----a-w C:\WINDOWS\DUMP5004.tmp
2009-05-09 17:57:40 . 2009-05-09 17:57:40 61440 ----a-w C:\WINDOWS\system32\C.tmp
2009-05-09 17:57:31 . 2009-05-09 17:57:28 120 ----a-w C:\WINDOWS\system32\7.tmp
2009-05-08 23:32:40 . 2009-05-08 23:32:40 61440 ----a-w C:\WINDOWS\system32\5.tmp
2009-05-08 23:32:39 . 2009-05-08 23:32:38 84 ----a-w C:\WINDOWS\system32\2.tmp
2009-05-08 22:57:11 . 2009-05-08 22:57:10 61440 ----a-w C:\WINDOWS\system32\6.tmp
2009-05-08 22:57:10 . 2009-05-08 22:57:08 84 ----a-w C:\WINDOWS\system32\4.tmp
2009-05-08 22:06:39 . 2009-05-08 22:06:38 84 ----a-w C:\WINDOWS\system32\24.tmp
2009-05-08 17:37:40 . 2009-05-08 17:37:38 84 ----a-w C:\WINDOWS\system32\22.tmp
2009-05-08 17:34:04 . 2009-05-08 17:34:04 0 ----a-w C:\WINDOWS\system32\1F.tmp
2009-05-08 06:39:22 . 2009-05-08 06:39:20 120 ----a-w C:\WINDOWS\system32\1E.tmp
2009-05-08 06:10:03 . 2009-05-08 06:10:03 0 ----a-w C:\WINDOWS\system32\21.tmp
2009-05-08 06:09:56 . 2009-05-08 06:09:55 120 ----a-w C:\WINDOWS\system32\1C.tmp
2009-05-08 04:47:27 . 2009-05-08 04:47:26 120 ----a-w C:\WINDOWS\system32\16.tmp
2009-05-08 04:35:55 . 2009-05-08 04:35:54 120 ----a-w C:\WINDOWS\system32\15.tmp
2009-05-08 04:26:57 . 2009-05-08 04:26:56 120 ----a-w C:\WINDOWS\system32\13.tmp
2009-05-08 03:56:47 . 2009-05-08 03:56:45 120 ----a-w C:\WINDOWS\system32\10.tmp
2009-05-08 03:48:38 . 2009-05-08 03:48:37 120 ----a-w C:\WINDOWS\system32\E.tmp
2009-05-05 17:55:45 . 2009-05-05 17:55:45 0 ----a-w C:\74.tmp
2009-05-05 17:55:45 . 2009-05-05 17:55:45 0 ----a-w C:\73.tmp
2009-05-05 17:55:45 . 2009-05-05 17:55:45 0 ----a-w C:\72.tmp
2009-05-05 17:55:44 . 2009-05-05 17:55:44 0 ----a-w C:\70.tmp
2009-05-05 17:55:44 . 2009-05-05 17:55:44 0 ----a-w C:\6F.tmp
2009-05-05 17:55:42 . 2009-05-05 17:55:42 0 ----a-w C:\6E.tmp
2009-05-05 17:55:42 . 2009-05-05 17:55:42 0 ----a-w C:\6D.tmp
2009-05-05 17:55:39 . 2009-05-05 17:55:39 0 ----a-w C:\6B.tmp
2009-05-05 17:55:38 . 2009-05-05 17:55:36 51712 ----a-w C:\68.tmp
2009-05-05 17:53:51 . 2009-05-05 17:53:51 0 ----a-w C:\WINDOWS\system32\1A.tmp
2009-05-05 17:53:51 . 2009-05-05 17:53:49 160 ----a-w C:\WINDOWS\system32\19.tmp
2009-05-05 17:30:31 . 2009-05-05 17:30:31 0 ----a-w C:\WINDOWS\system32\F.tmp
2009-05-05 17:12:29 . 2009-05-05 17:12:22 2701 ----a-w C:\WINDOWS\system32\B.tmp
2009-05-05 17:12:22 . 2009-05-05 17:12:19 160 ----a-w C:\WINDOWS\system32\A.tmp
2009-05-05 14:07:29 . 2008-02-10 05:48:42 0 d-----w C:\Program Files\Coupons
2009-05-04 08:25:17 . 2009-05-04 08:25:14 124 ----a-w C:\WINDOWS\system32\17C.tmp
2009-05-03 14:02:17 . 2007-06-29 03:01:35 80048 ----a-w C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 04:59:23 . 2009-05-03 04:59:23 0 ----a-w C:\WINDOWS\system32\79.tmp
2009-05-03 04:59:23 . 2009-05-03 04:59:21 124 ----a-w C:\WINDOWS\system32\78.tmp
2009-05-03 04:59:01 . 2009-05-03 04:59:01 0 ----a-w C:\76.tmp
2009-05-03 04:59:00 . 2009-05-03 04:58:59 38 ----a-w C:\71.tmp
2009-05-03 04:58:58 . 2009-05-03 04:58:58 0 ----a-w C:\6C.tmp
2009-05-03 04:58:58 . 2009-05-03 04:58:58 0 ----a-w C:\6A.tmp
2009-05-03 04:58:57 . 2009-05-03 04:58:57 0 ----a-w C:\69.tmp
2009-05-03 04:58:56 . 2009-05-03 04:58:56 0 ----a-w C:\67.tmp
2009-05-03 04:58:56 . 2009-05-03 04:58:56 0 ----a-w C:\63.tmp
2009-05-03 04:58:55 . 2009-05-03 04:58:55 0 ----a-w C:\61.tmp
2009-05-03 04:58:55 . 2009-05-03 04:58:55 0 ----a-w C:\5F.tmp
2009-05-03 04:58:54 . 2009-05-03 04:58:54 0 ----a-w C:\5E.tmp
2009-05-03 04:58:54 . 2009-05-03 04:58:54 0 ----a-w C:\5C.tmp
2009-05-03 04:58:53 . 2009-05-03 04:58:53 0 ----a-w C:\5B.tmp
2009-05-03 04:58:51 . 2009-05-03 04:58:51 0 ----a-w C:\4C.tmp
2009-05-03 04:58:50 . 2009-05-03 04:58:47 54784 ----a-w C:\37.tmp
2009-05-03 04:19:50 . 2009-05-03 04:19:50 0 ----a-w C:\45.tmp
2009-05-03 04:00:18 . 2004-01-26 12:22:26 0 d--h--w C:\Program Files\InstallShield Installation Information
2009-05-03 03:59:44 . 2004-01-26 12:22:00 0 d-----w C:\Program Files\Common Files\InstallShield
2009-04-21 21:53:32 . 2008-02-09 16:18:04 0 d-----w C:\Program Files\Common Files\Apple
2009-04-21 04:06:26 . 2004-01-26 12:45:25 0 d-----w C:\Program Files\Quicken
2009-04-19 21:35:02 . 2009-04-19 21:35:01 38 ----a-w C:\29.tmp
2009-04-19 21:34:47 . 2009-04-19 21:34:47 0 ----a-w C:\26.tmp
2009-04-19 21:34:46 . 2009-04-19 21:34:46 0 ----a-w C:\24.tmp
2009-04-19 21:34:44 . 2009-04-19 21:34:44 0 ----a-w C:\21.tmp
2009-04-19 21:34:43 . 2009-04-19 21:34:43 0 ----a-w C:\20.tmp
2009-04-19 21:34:38 . 2009-04-19 21:34:38 52736 ----a-w C:\1E.tmp
2009-04-19 05:03:29 . 2009-04-19 05:03:29 38 ----a-w C:\1D.tmp
2009-04-19 05:03:28 . 2009-04-19 05:03:28 0 ----a-w C:\1C.tmp
2009-04-19 05:03:27 . 2009-04-19 05:03:27 0 ----a-w C:\1B.tmp
2009-04-19 05:03:26 . 2009-04-19 05:03:26 0 ----a-w C:\1A.tmp
2009-04-19 05:03:26 . 2009-04-19 05:03:26 0 ----a-w C:\19.tmp
2009-04-19 05:03:25 . 2009-04-19 05:03:25 0 ----a-w C:\18.tmp
2009-04-19 05:03:25 . 2009-04-19 05:03:25 0 ----a-w C:\17.tmp
2009-04-19 05:03:24 . 2009-04-19 05:03:24 0 ----a-w C:\16.tmp
2009-04-19 05:03:24 . 2009-04-19 05:03:20 38 ----a-w C:\14.tmp
2009-04-19 05:03:24 . 2009-04-19 05:03:17 52736 ----a-w C:\12.tmp
2009-04-19 05:03:23 . 2009-04-19 05:03:23 0 ----a-w C:\15.tmp
2009-04-19 03:52:21 . 2007-08-18 21:57:07 0 d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-04-19 01:33:45 . 2008-12-21 15:57:31 0 d-----w C:\Program Files\Spybot - Search & Destroy
2009-04-19 00:43:55 . 2008-03-21 05:16:08 0 d-----w C:\Program Files\Windows Live
2009-04-19 00:40:03 . 2004-01-26 12:31:44 0 d-----w C:\Program Files\MUSICMATCH
2009-04-19 00:39:25 . 2007-07-01 22:50:22 0 d-----w C:\Program Files\MP3 Rocket
2009-04-19 00:35:37 . 2004-01-26 13:02:33 0 d-----w C:\Program Files\Microsoft Plus! Digital Media Edition
2007-12-11 08:14:48 . 2007-12-11 08:14:23 24 --sh--w C:\WINDOWS\S8257B3A3.tmp
2007-08-15 05:41:57 . 2007-08-15 05:41:57 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
Infected C:\WINDOWS\system32\user32.dll hex repaired
------- Sigcheck -------
[-] 2003-08-16 01:51:22 33280 35A177008737E76AA26CBB64A2321024 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[-] 2004-08-04 05:56:58 34816 79CF58AF6562876C3CEB2D5D22A90305 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12:36 34816 30E35121A7E216CB9DA2ECF3BB69DD7F C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[-] 2004-08-04 05:56:58 34816 D5F85E30AD6FED6631EB5B0F2AE5E213 C:\WINDOWS\system32\svchost.exe
[-] 2009-05-07 20:24:28 86016 650664754A0EFBED9B2BBE387C4216A2 C:\WINDOWS\system32\3361\SVCHOST.EXE
[-] 2007-06-13 10:23:07 1053696 4FDB390F182FF1E9E29E9356A3C1BBFA C:\WINDOWS\explorer.exe
[-] 2007-06-13 11:26:03 1053696 584610146393A8FD6F72B882238A803A C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2003-08-16 08:26:42 1024512 A36579BE06A1DE91E17C925B077FCABB C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 05:56:50 1052672 9E3F4D76B8AE890B6226E818D8174033 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[-] 2004-08-04 05:56:50 1052672 9115DD70A035A3874AA7D87EA786AF6A C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12:19 1054208 193F47A70DBCC8738BCDB8D5498F9A0D C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 10:23:07 1053696 456B2807DB12C4D22A9A42D815E58623 C:\WINDOWS\system32\dllcache\explorer.exe
[-] 2003-08-16 01:54:00 33792 21FB55F07F38D98FE9EA1D79DBD4CAB5 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
[-] 2004-08-04 05:56:50 35840 16FB6AC0FDDF7457865CA15BD0814CF0 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12:16 35840 FD97384E60D719144F0271FDF1E80661 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[-] 2004-08-04 05:56:50 35840 7B34BA7FF345EB10B97B158D8BADEFF6 C:\WINDOWS\system32\ctfmon.exe
[-] 2004-08-04 05:56:50 35840 C65C5AC58BB6F02D1A055EE390A322BD C:\WINDOWS\system32\dllcache\ctfmon.exe
[-] 2005-06-11 00:17:13 78336 76B3B9C476084146ED28D148190FA07D C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2003-08-16 02:40:30 71680 53A36FD99636D7AA85C11F25BFA6D2CD C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
[-] 2004-08-04 05:56:58 78336 55DF4CDEF528BB1A2DF4F9097F3A667F C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
[-] 2004-08-04 05:56:58 78336 5A28789CCCE33432E149DDB6F95489F2 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12:36 78336 671CF6466E8E66CB31E50F368A744E7A C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[-] 2005-06-10 23:53:32 78336 3C92AC16A4919F13C56F1457427BA5AC C:\WINDOWS\system32\spoolsv.exe
[-] 2003-08-16 01:53:16 42496 EFF8E29AF80BCC907064FBB45E211224 C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[-] 2004-08-04 05:56:58 45056 43C53FFC311BD03CF21C0225533A15EE C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12:38 46592 5328420BF9305C2F7CF659E214F56A77 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2007-06-13 10:23:07 1053696 4FDB390F182FF1E9E29E9356A3C1BBFA C:\WINDOWS\system32\userinit.exe
[-] 2004-08-04 05:56:58 45056 B595697167E87151C18370FF8E01359B C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56:50 35840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 05:56:54 178688]
"DrWebScheduler"="C:\Program Files\DrWeb\DRWEBSCD.EXE" [2007-02-28 21:06:56 148992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYS32DLL"="SYS32DLL" [X]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56:50 35840]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\explorer.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ChkDisk.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk
backup=C:\WINDOWS\pss\ChkDisk.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^desktop.ini]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
backup=C:\WINDOWS\pss\desktop.iniStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MP3 Rocket (silent).lnk]
[HKLM\~\startupfolder\c:^documents and settings^owner^start menu^programs^startup^onenote 2007 screen clipper and launcher.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ZuneNetworkSvc"=3 (0x3)
"ZuneWlanCfgSvc"=3 (0x3)
"ZuneBusEnum"=2 (0x2)
"DhcpSrv"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"spidernt"=2 (0x2)
"sopidkc"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LicCtrlService"=2 (0x2)
"lavasoft ad-aware service"=2 (0x2)
"ipod service"=3 (0x3)
"Imapi Helper"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"bonjour service"=2 (0x2)
"BITS"=3 (0x3)
"apple mobile device"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WudfSvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netlogon"=3 (0x3)
"Net Driver HPZ12"=2 (0x2)
"msncache"=2 (0x2)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"Fax"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"6to4"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe"=
"C:\\Program Files\\MagicDisc\\MagicDisc.exe"=
"C:\\WINDOWS\\system32\\wscntfy.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2379:UDP"= 2379:UDP:Windows Media Format SDK (iexplore.exe)
"2378:UDP"= 2378:UDP:Windows Media Format SDK (iexplore.exe)
"7070:TCP"= 7070:TCP:nfra
R1 4e723735;4e723735;C:\WINDOWS\System32\drivers\4e723735.sys [2009-05-08 04:10:57 0]
R1 8b063a28;8b063a28;C:\WINDOWS\System32\drivers\8b063a28.sys [2009-05-08 04:15:46 0]
R1 qlg8b0f;qlg8b0f;C:\WINDOWS\System32\drivers\qlg8b0f.sys [2009-05-04 08:25:34 17376]
R2 spider;SpIDer FS Monitor for Windows NT;C:\PROGRA~1\DrWeb\spider.sys [2006-10-23 19:22:06 310992]
R2 StudioPro;StudioPro webcam;C:\WINDOWS\system32\DRIVERS\StudioPro.sys [2007-01-06 03:18:00 120320]
R3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys [2007-04-23 01:27:48 38784]
R3 pcm1394;pcm1394;C:\WINDOWS\system32\pcm1394.sys [2004-08-04 05:56:44 2304]
R3 vitra;vitra;C:\WINDOWS\System32\drivers\vitra.sys [x]
R4 lavasoft ad-aware service;lavasoft ad-aware service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-26 04:41:14 953168]
R4 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-06-29 22:42:54 23040]
R4 msncache;msncache;C:\WINDOWS\system32\svchost.exe [2004-08-04 05:56:58 34816]
R4 spidernt;SpIDer Guard for Windows NT;C:\PROGRA~1\DrWeb\SpiderNT.exe [2006-05-02 18:07:04 143360]
S0 lbd;lbd;C:\WINDOWS\system32\DRIVERS\Lbd.sys [2009-04-26 04:41:20 64160]
S1 drwebnet;SpIDer Guard boot hook driver for Windows NT;C:\WINDOWS\system32\drivers\drwebnet.sys [2005-10-17 09:33:00 5856]
S1 etodb16;etodb16;C:\WINDOWS\System32\drivers\etodb16.sys [2009-05-01 20:21:24 17376]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys [2005-03-30 16:22:36 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys [2005-03-30 16:22:36 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys [2005-03-30 16:22:38 9088]
--- Other Services/Drivers In Memory ---
*Deregistered* - AFD
*Deregistered* - agp440
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - drwebnet
*Deregistered* - ERSvc
*Deregistered* - etodb16
*Deregistered* - Fastfat
*Deregistered* - fasttx2k
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - isapnp
*Deregistered* - KSecDD
*Deregistered* - lbd
*Deregistered* - mcdbus
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - nv_agp
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - pcouffin
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - qlg8b0f
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SCDEmu
*Deregistered* - SISAGP
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - viaagp1
*Deregistered* - VolSnap
*Deregistered* - Wanarp
*Deregistered* - Wdf01000
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - zumbus
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
msncache
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b38ebaf-711f-11dd-982a-000ea696fa77}]
\Shell\AutoRun\command - I:\UNSECAPP.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5f0d475-0094-11de-995b-000ea696fa77}]
\Shell\AutoRun\command - F:\UNINSTALL.EXE
.
Contents of the 'Scheduled Tasks' folder
2009-05-05 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06:56 . 2009-04-26 04:41:17]
2009-05-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34:12 . 2008-07-30 17:34:12]
.
- - - - ORPHANS REMOVED - - - -
BHO-{65768B48-B004-4B26-9BAC-A3BAC39643D1} - C:\WINDOWS\system32\199638\199638.dll
BHO-{E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll
HKU-Default-Run-autochk - C:\WINDOWS\system32\config\SYSTEM~1\protect.dll
HKU-Default-Run-Diagnostic Manager - C:\WINDOWS\TEMP\2974783308.exe
HKU-Default-Run-uidenhiufgsduiazghs - C:\WINDOWS\TEMP\dccs627y7f.exe
HKU-Default-Run-reader_s - C:\Documents and Settings\Owner\reader_s.exe
HKU-Default-Run-svc - c:\program Files\ThunMail\testabd.exe
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
SafeBoot-Wdf01000.sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
LSP: %SystemRoot%\system32\DRWEBSP.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://flash.7sultans.com/7sultans/FlashAX2.cab
FF - ProfilePath - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
HIJACK THIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:40 PM, on 5/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\reader_s.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>;localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: 199638 helper - {65768B48-B004-4B26-9BAC-A3BAC39643D1} - C:\WINDOWS\system32\199638\199638.dll (file missing)
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll (file missing)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [vttimer] VTTimer.exe
O4 - HKLM\..\Run: [tkbellexe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [spidernt] C:\PROGRA~1\DrWeb\spidernt.exe /agent
O4 - HKLM\..\Run: [spidermail] "C:\Program Files\DrWeb\spiderml.exe"
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tomtomhome.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\1368566012.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2974783308.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\dccs627y7f.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - S-1-5-19 Startup: ChkDisk.dll (User 'LOCAL SERVICE')
O4 - S-1-5-19 Startup: ChkDisk.lnk = ? (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/...ctivex/
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/c...nt/wuwe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/c...nt/muwe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://flash.7sultans.com/7sultans/FlashAX2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O23 - Service: Apple Mobile Device (apple mobile device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service (bonjour service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service (ipod service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe
--
End of file - 11628 bytes
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Mon May 11, 2009 5:04 pm
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\PROGRA~1\DrWeb\spidernt.exe
These are the two files that I believe are causing my internet to not run. I installed the Dr. Web file a few weeks back hoping to help my system, but it has done anything but that. It isn't uninstalling via control panel.
greyknight17
Joined: Feb 03, 2003 Posts: 5651
Location: Brooklyn, NY
Posted: Tue May 12, 2009 12:27 pm
Download this uninstaller to see if it can remove Dr. Web.
Make sure you run ComboFix on your desktop instead of your USB flash drive.
Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All.
Click the Empty Selected button.
If you use the Firefox browser click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
O2 - BHO: 199638 helper - {65768B48-B004-4B26-9BAC-A3BAC39643D1} - C:\WINDOWS\system32\199638\199638.dll (file missing)
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll (file missing)
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld08.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp06.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\1368566012.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2974783308.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\dccs627y7f.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - S-1-5-19 Startup: ChkDisk.dll (User 'LOCAL SERVICE')
O4 - S-1-5-19 Startup: ChkDisk.lnk = ? (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
Driver::
4e723735
8b063a28
qlg8b0f
vitra
etodb16
File::
C:\12.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\1D.tmp
C:\1E.tmp
C:\20.tmp
C:\21.tmp
C:\24.tmp
C:\26.tmp
C:\29.tmp
C:\37.tmp
C:\43214354.bat
C:\45.tmp
C:\4C.tmp
C:\5B.tmp
C:\5C.tmp
C:\5E.tmp
C:\5F.tmp
C:\61.tmp
C:\63.tmp
C:\67.tmp
C:\68.tmp
C:\69.tmp
C:\6A.tmp
C:\6B.tmp
C:\6C.tmp
C:\6D.tmp
C:\6E.tmp
C:\6F.tmp
C:\70.tmp
C:\71.tmp
C:\72.tmp
C:\73.tmp
C:\74.tmp
C:\76.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\1368566012.exe
C:\Documents and Settings\Owner\reader_s.exe
C:\WINDOWS\DUMP5004.tmp
C:\windows\ld08.exe
C:\windows\pp06.exe
C:\WINDOWS\S8257B3A3.tmp
C:\WINDOWS\services.exe
C:\WINDOWS\st_1241915067.exe
C:\WINDOWS\system32\10.tmp
C:\WINDOWS\system32\11.tmp
C:\WINDOWS\system32\12.tmp
C:\WINDOWS\system32\13.tmp
C:\WINDOWS\system32\14.tmp
C:\WINDOWS\system32\15.tmp
C:\WINDOWS\system32\16.tmp
C:\WINDOWS\system32\17.tmp
C:\WINDOWS\system32\17C.tmp
C:\WINDOWS\system32\18.tmp
C:\WINDOWS\system32\19.tmp
C:\WINDOWS\system32\1A.tmp
C:\WINDOWS\system32\1B.tmp
C:\WINDOWS\system32\1C.tmp
C:\WINDOWS\system32\1D.tmp
C:\WINDOWS\system32\1E.tmp
C:\WINDOWS\system32\1F.tmp
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\system32\21.tmp
C:\WINDOWS\system32\22.tmp
C:\WINDOWS\system32\23.tmp
C:\WINDOWS\system32\24.tmp
C:\WINDOWS\system32\25.tmp
C:\WINDOWS\system32\26.tmp
C:\WINDOWS\system32\27.tmp
C:\WINDOWS\system32\28.tmp
C:\WINDOWS\system32\29.tmp
C:\WINDOWS\system32\2A.tmp
C:\WINDOWS\system32\2C.tmp
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\7.tmp
C:\WINDOWS\system32\78.tmp
C:\WINDOWS\system32\79.tmp
C:\WINDOWS\system32\A.tmp
C:\WINDOWS\system32\autochk.dll
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\C.tmp
C:\WINDOWS\system32\config\SYSTEM~1\protect.dll
C:\WINDOWS\system32\D.tmp
C:\WINDOWS\system32\drivers\4e723735.sys
C:\WINDOWS\system32\drivers\8b063a28.sys
C:\WINDOWS\system32\drivers\etodb16.sys
C:\WINDOWS\system32\drivers\qlg8b0f.sys
C:\WINDOWS\system32\E.tmp
C:\WINDOWS\system32\F.tmp
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\tpsaxyd.exe
C:\WINDOWS\t55ft2692f44.dat
C:\WINDOWS\TEMP\2974783308.exe
C:\WINDOWS\TEMP\dccs627y7f.exe
Folder::
C:\WINDOWS\dhcp
C:\WINDOWS\system32\3361
c:\program Files\ThunMail\
C:\WINDOWS\system32\199638\
C:\WINDOWS\system32\796525\
FCopy::
C:\WINDOWS\ServicePackFiles\i386\userinit.exe | C:\WINDOWS\system32\userinit.exe
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYS32DLL"=-
Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
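The entries greyknight17 picked out for 'Fix Checked' share a handful of patterns: a browser proxy pointed at localhost:7171, BHO and SharedTaskScheduler registrations whose file is gone, Run values launching from Temp directories or a user profile root, a services.exe outside system32, a rundll32 call loading a DLL from under system32\config, and value names that look like keyboard mashing. The script below is an added example, not part of this thread and not HijackThis or ComboFix code, that turns those observations into triage heuristics and runs them over lines copied from the log above (plus three entries the helper left alone). The rules, their wording and thresholds such as "15 lowercase letters" or "6 digits" are this example's own assumptions, not a published detection standard.

```python
"""Triage heuristics for HijackThis log lines (added example; the rules are
this example's own assumptions, not HijackThis or ComboFix logic)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log in this thread, plus
# three entries the helper left alone, so every rule has negatives to pass over.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O2 - BHO: 199638 helper - {65768B48-B004-4B26-9BAC-A3BAC39643D1} - C:\WINDOWS\system32\199638\199638.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Owner\LOCALS~1\Temp\1368566012.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\dccs627y7f.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
""".strip()

# First Windows path with a code-carrying extension inside a command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|bat|cmd|scr|pif)\b', re.I)
# Binaries that only ever live in %SystemRoot%\system32; a same-named copy
# elsewhere (C:\WINDOWS\services.exe in this thread) is a masquerade.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "userinit.exe"}


@dataclass
class Entry:
    section: str            # R1, O2, O4, O22, ...
    name: str               # value name, BHO name or task name
    target: str             # command line, path or registry data
    raw: str
    reasons: list = field(default_factory=list)

    @property
    def path(self):
        m = PATH_RE.search(self.target)
        return m.group(0) if m else None


def parse(line):
    """Split one HijackThis line into (section, name, target); None if unknown."""
    section, _, rest = line.partition(" - ")
    if section.startswith("R"):                                   # key,value = data
        m = re.match(r"^[^,]*,([^=]*?) = (.*)$", rest)
        return Entry(section, m.group(1), m.group(2), line) if m else None
    if section in ("O2", "O22"):                                  # label: name - {CLSID} - path
        parts = rest.split(" - ")
        return Entry(section, parts[0].split(": ", 1)[-1], " - ".join(parts[2:]), line)
    if section == "O4":
        m = (re.match(r"^.*?\\Run: \[([^\]]*)\] (.*)$", rest)      # hive\..\Run: [name] cmd
             or re.match(r"^.*?: (.*?) = (.*)$", rest))           # Startup: x.lnk = path
        return Entry(section, m.group(1), m.group(2), line) if m else None
    return None


def check(e):
    """Attach a human-readable reason for every heuristic the entry trips."""
    low = (e.path or "").lower()
    folder, _, base = low.rpartition("\\")
    if e.name.lower() == "proxyserver" and re.search(r"localhost|127\.0\.0\.1", e.target):
        e.reasons.append("browser proxy forced through the local machine (traffic interception)")
    if "(file missing)" in e.raw or "(no file)" in e.raw:
        e.reasons.append("registration points at a file that no longer exists")
    if "\\temp\\" in low:
        e.reasons.append("runs from a Temp directory")
    if base in SYSTEM32_ONLY and not folder.endswith("\\system32"):
        e.reasons.append("system binary name outside system32 (masquerade)")
    if re.search(r"\\documents and settings\\[^\\]+\\[^\\]+\.exe$", low):
        e.reasons.append("executable sitting directly in a user profile root")
    if base.endswith(".dll") and "\\system32\\config\\" in low:
        e.reasons.append("DLL loaded from the registry hive directory, which holds no code")
    if re.fullmatch(r"[a-z]{15,}", e.name):
        e.reasons.append("value name looks machine-generated")
    if re.fullmatch(r"\d{6,}", base.rpartition(".")[0]):
        e.reasons.append("file name is a bare number, typical of dropper output")
    return e


def triage(text):
    """Parse every recognised line and run the checks over it."""
    return [check(e) for e in map(parse, text.splitlines()) if e]


def flagged(text):
    """Names of the entries that tripped at least one rule, in log order."""
    return [e.name for e in triage(text) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(("FLAG " if e.reasons else "ok   ") + f"{e.section:<3} {e.name}")
        for reason in e.reasons:
            print("      - " + reason)
```

Run as-is, the script flags the eight entries the helper listed and passes over jusched.exe, ctfmon.exe and the Adobe Gamma Loader shortcut. Note what path-based rules cannot settle: the HKLM autochk entry loads C:\WINDOWS\system32\autochk.dll, a file in a perfectly legitimate directory, and only the fact that no such DLL belongs there tells an analyst it is foreign. That is why a list like greyknight17's still rests on someone reading each entry rather than on a script alone.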
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Tue May 12, 2009 2:51 pm
ComboFix 09-05-12.02 - Owner 05/12/2009 13:42.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.154 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ferasb.com
Command switches used :: c:\docume~1\Owner\Desktop\CFScript.txt
AV: Doctor Web Anti-Virus *On-access scanning disabled* (Outdated)
FILE ::
C:\12.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\1D.tmp
C:\1E.tmp
C:\20.tmp
C:\21.tmp
C:\24.tmp
C:\26.tmp
C:\29.tmp
C:\37.tmp
C:\43214354.bat
C:\45.tmp
C:\4C.tmp
C:\5B.tmp
C:\5C.tmp
C:\5E.tmp
C:\5F.tmp
C:\61.tmp
C:\63.tmp
C:\67.tmp
C:\68.tmp
C:\69.tmp
C:\6A.tmp
C:\6B.tmp
C:\6C.tmp
C:\6D.tmp
C:\6E.tmp
C:\6F.tmp
C:\70.tmp
C:\71.tmp
C:\72.tmp
C:\73.tmp
C:\74.tmp
C:\76.tmp
c:\docume~1\Owner\LOCALS~1\Temp\1368566012.exe
c:\documents and settings\Owner\reader_s.exe
c:\windows\DUMP5004.tmp
c:\windows\ld08.exe
c:\windows\pp06.exe
c:\windows\S8257B3A3.tmp
c:\windows\services.exe
c:\windows\st_1241915067.exe
c:\windows\system32\10.tmp
c:\windows\system32\11.tmp
c:\windows\system32\12.tmp
c:\windows\system32\13.tmp
c:\windows\system32\14.tmp
c:\windows\system32\15.tmp
c:\windows\system32\16.tmp
c:\windows\system32\17.tmp
c:\windows\system32\17C.tmp
c:\windows\system32\18.tmp
c:\windows\system32\19.tmp
c:\windows\system32\1A.tmp
c:\windows\system32\1B.tmp
c:\windows\system32\1C.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\1E.tmp
c:\windows\system32\1F.tmp
c:\windows\system32\2.tmp
c:\windows\system32\20.tmp
c:\windows\system32\21.tmp
c:\windows\system32\22.tmp
c:\windows\system32\23.tmp
c:\windows\system32\24.tmp
c:\windows\system32\25.tmp
c:\windows\system32\26.tmp
c:\windows\system32\27.tmp
c:\windows\system32\28.tmp
c:\windows\system32\29.tmp
c:\windows\system32\2A.tmp
c:\windows\system32\2C.tmp
c:\windows\system32\4.tmp
c:\windows\system32\5.tmp
c:\windows\system32\6.tmp
c:\windows\system32\7.tmp
c:\windows\system32\78.tmp
c:\windows\system32\79.tmp
c:\windows\system32\A.tmp
c:\windows\system32\autochk.dll
c:\windows\system32\B.tmp
c:\windows\system32\C.tmp
c:\windows\system32\config\SYSTEM~1\protect.dll
c:\windows\system32\D.tmp
c:\windows\system32\drivers\4e723735.sys
c:\windows\system32\drivers\8b063a28.sys
c:\windows\system32\drivers\etodb16.sys
c:\windows\system32\drivers\qlg8b0f.sys
c:\windows\system32\E.tmp
c:\windows\system32\F.tmp
c:\windows\System32\reader_s.exe
c:\windows\system32\tpsaxyd.exe
c:\windows\t55ft2692f44.dat
c:\windows\TEMP\2974783308.exe
c:\windows\TEMP\dccs627y7f.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\12.tmp
C:\14.tmp
C:\15.tmp
C:\16.tmp
C:\17.tmp
C:\18.tmp
C:\19.tmp
C:\1A.tmp
C:\1B.tmp
C:\1C.tmp
C:\1D.tmp
C:\1E.tmp
C:\20.tmp
C:\21.tmp
C:\24.tmp
C:\26.tmp
C:\29.tmp
C:\37.tmp
C:\43214354.bat
C:\45.tmp
C:\4C.tmp
C:\5B.tmp
C:\5C.tmp
C:\5E.tmp
C:\5F.tmp
C:\61.tmp
C:\63.tmp
C:\67.tmp
C:\68.tmp
C:\69.tmp
C:\6A.tmp
C:\6B.tmp
C:\6C.tmp
C:\6D.tmp
C:\6E.tmp
C:\6F.tmp
C:\70.tmp
C:\71.tmp
C:\72.tmp
C:\73.tmp
C:\74.tmp
C:\76.tmp
c:\documents and settings\LocalService\Application Data\wsnpoem
c:\documents and settings\LocalService\Application Data\wsnpoem\audio.dll
c:\windows\dhcp
c:\windows\DUMP5004.tmp
c:\windows\S8257B3A3.tmp
c:\windows\st_1241915067.exe
c:\windows\system32\10.tmp
c:\windows\system32\11.tmp
c:\windows\system32\12.tmp
c:\windows\system32\13.tmp
c:\windows\system32\14.tmp
c:\windows\system32\15.tmp
c:\windows\system32\16.tmp
c:\windows\system32\17.tmp
c:\windows\system32\17C.tmp
c:\windows\system32\18.tmp
c:\windows\system32\19.tmp
c:\windows\system32\1A.tmp
c:\windows\system32\1B.tmp
c:\windows\system32\1C.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\1E.tmp
c:\windows\system32\1F.tmp
c:\windows\system32\2.tmp
c:\windows\system32\20.tmp
c:\windows\system32\21.tmp
c:\windows\system32\22.tmp
c:\windows\system32\23.tmp
c:\windows\system32\24.tmp
c:\windows\system32\25.tmp
c:\windows\system32\26.tmp
c:\windows\system32\27.tmp
c:\windows\system32\28.tmp
c:\windows\system32\29.tmp
c:\windows\system32\3361
c:\windows\system32\3361\a
c:\windows\system32\3361\mlog
c:\windows\system32\3361\SVCHOST.EXE
c:\windows\system32\4.tmp
c:\windows\system32\5.tmp
c:\windows\system32\6.tmp
c:\windows\system32\7.tmp
c:\windows\system32\78.tmp
c:\windows\system32\79.tmp
c:\windows\system32\A.tmp
c:\windows\system32\B.tmp
c:\windows\system32\D.tmp
c:\windows\system32\E.tmp
c:\windows\system32\F.tmp
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\userinit.exe . . . is infected!!
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ETODB16
-------\Legacy_qlg8b0f
-------\Legacy_vitra
-------\Service_4e723735
-------\Service_8b063a28
-------\Service_etodb16
-------\Service_qlg8b0f
-------\Service_vitra
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.
2009-05-12 17:40 . 2009-05-12 17:40 -------- d--h--w c:\windows\PIF
2009-05-12 17:20 . 2009-05-12 17:20 -------- d-----w c:\program files\VS Revo Group
2009-05-11 21:43 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-11 21:43 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-11 21:43 . 2009-05-11 21:43 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-11 21:13 . 2009-05-11 21:13 -------- d-----w c:\documents and settings\LocalService\DoctorWeb
2009-05-11 20:07 . 2004-08-04 05:56 45056 ----a-w c:\windows\system32\userinit.exe
2009-05-08 17:42 . 2009-05-08 17:42 -------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2009-05-05 18:17 . 2009-05-11 20:06 -------- d-----w C:\ComboFix
2009-05-05 18:10 . 2009-05-05 18:10 -------- d-----w C:\_OTMoveIt
2009-05-04 04:21 . 2009-05-04 04:22 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-03 04:26 . 2009-05-03 04:26 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-05-03 04:00 . 2009-05-03 04:11 -------- d-----w c:\documents and settings\Owner\DoctorWeb
2009-05-03 04:00 . 2009-05-03 04:00 9728 ----atw c:\windows\system32\DRWEBSP.DLL
2009-05-03 04:00 . 2005-10-17 09:33 5856 ----a-w c:\windows\system32\drivers\drwebnet.sys
2009-05-03 04:00 . 2009-05-03 04:08 -------- d-----w c:\program files\DrWeb
2009-04-21 21:55 . 2009-03-19 21:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-21 21:55 . 2008-04-17 17:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-21 21:54 . 2009-04-21 21:54 -------- d-----w c:\program files\iPod
2009-04-21 21:54 . 2009-04-21 21:55 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 21:54 . 2009-04-21 21:55 -------- d-----w c:\program files\iTunes
2009-04-21 21:54 . 2009-04-21 21:54 -------- d-----w c:\program files\Bonjour
2009-04-21 21:53 . 2009-04-21 21:54 -------- d-----w c:\program files\QuickTime
2009-04-19 21:11 . 2009-05-08 04:53 -------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-04-19 21:10 . 2009-05-08 04:54 -------- d-----w c:\program files\LimeWire
2009-04-19 04:48 . 2009-04-26 04:41 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-19 04:41 . 2009-04-26 04:41 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-19 04:40 . 2009-05-05 19:07 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-19 04:40 . 2009-04-19 04:40 -------- d-----w c:\program files\Lavasoft
2009-04-19 03:37 . 2009-04-19 03:37 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\{AD90174D-6BEE-43F7-A9A9-F829F90C0BD5}
2009-04-18 20:43 . 2009-04-18 20:43 155 ----a-w c:\windows\system32\SelfDel.bat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-12 18:05 . 2007-06-29 22:42 2153 --sha-w c:\windows\system32\mmf.sys
2009-05-12 17:46 . 2004-01-26 08:10 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-11 21:41 . 2009-05-11 21:41 84 ----a-w c:\windows\system32\2E.tmp
2009-05-11 21:28 . 2009-05-11 21:28 84 ----a-w c:\windows\system32\2B.tmp
2009-05-11 20:50 . 2009-05-11 20:50 84 ----a-w c:\windows\system32\8.tmp
2009-05-11 20:45 . 2009-05-11 20:45 84 ----a-w c:\windows\system32\3.tmp
2009-05-11 20:18 . 2004-01-26 08:10 577536 ----a-w c:\windows\system32\user32.dll
2009-05-03 14:02 . 2007-06-29 03:01 80048 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\44.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\43.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\42.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\41.tmp
2009-05-03 04:19 . 2009-05-03 04:19 54784 ----a-w C:\38.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\40.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\3F.tmp
2009-05-03 04:19 . 2009-05-03 04:19 38 ----a-w C:\3C.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\3E.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\3D.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\3B.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\3A.tmp
2009-05-03 04:19 . 2009-05-03 04:19 0 ----a-w C:\39.tmp
2009-05-03 04:00 . 2004-01-26 12:22 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-03 03:59 . 2004-01-26 12:22 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-21 21:53 . 2008-02-09 16:18 -------- d-----w c:\program files\Common Files\Apple
2009-04-21 04:06 . 2004-01-26 12:45 -------- d-----w c:\program files\Quicken
2009-04-19 03:52 . 2007-08-18 21:57 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-19 01:33 . 2008-12-21 15:57 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-19 00:43 . 2008-03-21 05:16 -------- d-----w c:\program files\Windows Live
2009-04-19 00:40 . 2004-01-26 12:31 -------- d-----w c:\program files\MUSICMATCH
2009-04-19 00:39 . 2007-07-01 22:50 -------- d-----w c:\program files\MP3 Rocket
2009-04-19 00:35 . 2004-01-26 13:02 -------- d-----w c:\program files\Microsoft Plus! Digital Media Edition
2009-04-19 00:26 . 2007-08-17 05:25 -------- d-----w c:\program files\DVDFab
2009-04-19 00:08 . 2007-07-18 21:37 -------- d-----w c:\program files\Incomplete
2009-04-14 09:47 . 2009-04-03 20:55 16 ----a-w c:\windows\Rquparejucowoz.bin
2009-04-04 01:45 . 2008-02-18 05:44 -------- d-----w c:\program files\BitTorrent
2009-04-04 01:17 . 2009-04-04 01:07 -------- d-----w c:\program files\VSO
2009-04-03 23:10 . 2009-04-03 23:10 -------- d-----w c:\program files\Xilisoft
2009-03-28 19:49 . 2009-03-28 19:49 36352 ----a-w C:\ocqkmoc.exe
2009-03-27 02:29 . 1601-01-01 00:12 84736 --sha-w c:\windows\system32\yezumoyu.exe
2009-03-23 17:06 . 2007-06-26 03:58 -------- d-----w c:\program files\Yahoo!
2007-07-07 08:43 . 2007-08-18 23:12 245760 ----a-w c:\program files\Uninstall Ask Toolbar.dll
2007-08-15 05:41 . 2007-08-15 05:41 0 --sha-w c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( SnapShot RemoveThis @2009-05-11_20.28.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-12 05:03 . 2009-05-12 16:23 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009051220090513\index.dat
+ 2009-05-11 20:46 . 2009-05-12 04:48 98304 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009051120090512\index.dat
+ 2009-04-19 05:10 . 2009-05-12 17:24 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-04-19 05:10 . 2009-05-10 02:45 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2004-01-26 09:31 . 2009-05-11 20:08 65536 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-01-26 09:31 . 2009-05-12 18:45 65536 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2003-08-16 02:54 . 2003-08-16 02:54 247296 c:\windows\system32\wtukd32.exe
+ 2004-01-26 09:31 . 2009-05-12 18:45 606208 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-01-26 09:31 . 2009-05-12 18:45 557056 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 35840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 178688]
"reader_s"="c:\windows\System32\reader_s.exe" [2009-05-12 60417]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 35840]
"reader_s"="c:\documents and settings\Owner\reader_s.exe" [2009-05-12 39937]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MP3 Rocket (silent).lnk]
[HKLM\~\startupfolder\c:^documents and settings^owner^start menu^programs^startup^onenote 2007 screen clipper and launcher.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DhcpSrv"=2 (0x2)
"sopidkc"=2 (0x2)
"6to4"=2 (0x2)
"spidernt"=2 (0x2)
"ZuneNetworkSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LicCtrlService"=2 (0x2)
"lavasoft ad-aware service"=2 (0x2)
"ipod service"=3 (0x3)
"Imapi Helper"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"bonjour service"=2 (0x2)
"apple mobile device"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe"=
"c:\\Program Files\\MagicDisc\\MagicDisc.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2379:UDP"= 2379:UDP:Windows Media Format SDK (iexplore.exe)
"2378:UDP"= 2378:UDP:Windows Media Format SDK (iexplore.exe)
"7070:TCP"= 7070:TCP:nfra
R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/18/2009 11:41 PM 64160]
R0 protect;protect;c:\windows\system32\drivers\protect.sys [5/12/2009 1:49 PM 18944]
R1 drwebnet;SpIDer Guard boot hook driver for Windows NT;c:\windows\system32\drivers\drwebnet.sys [5/2/2009 11:00 PM 5856]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [3/30/2005 11:22 AM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [3/30/2005 11:22 AM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [3/30/2005 11:22 AM 9088]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2/4/2004 1:38 PM 34816]
S2 spider;SpIDer FS Monitor for Windows NT;c:\progra~1\DrWeb\spider.sys [5/2/2009 11:00 PM 310992]
S2 StudioPro;StudioPro webcam;c:\windows\system32\drivers\StudioPro.sys [2/21/2009 8:15 PM 120320]
S3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2/21/2009 8:15 PM 38784]
S3 pcm1394;pcm1394;c:\windows\system32\pcm1394.sys [2/4/2004 2:12 PM 2304]
S4 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [6/29/2007 5:42 PM 23040]
S4 spidernt;SpIDer Guard for Windows NT;c:\progra~1\DrWeb\SpiderNT.exe [5/2/2009 11:00 PM 143360]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PROTECT
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
msncache
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Start.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:41]
2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>;localhost
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
LSP: %SystemRoot%\system32\DRWEBSP.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://flash.7sultans.com/7sultans/FlashAX2.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6iuts3lk.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-12 13:46
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\4.tmp 120 bytes
c:\windows\system32\5.tmp 0 bytes
c:\windows\system32\7.tmp 61440 bytes executable
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\EN]
@DACL=(02 0000)
"OnLineServicesDirName"="Online Services"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\FR]
@DACL=(02 0000)
"OnLineServicesDirName"="Services en ligne"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\MX]
@DACL=(02 0000)
"OnLineServicesDirName"="Servicios en línea"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\NL]
@DACL=(02 0000)
"OnLineServicesDirName"="Online Services"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\NW]
@DACL=(02 0000)
"OnLineServicesDirName"="Online tjenster"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\SP]
@DACL=(02 0000)
"OnLineServicesDirName"="Servicios en línea"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\SW]
@DACL=(02 0000)
"OnLineServicesDirName"="Online tjänster"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\UK]
@DACL=(02 0000)
"OnLineServicesDirName"="Online services"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\US]
@DACL=(02 0000)
"OnLineServicesDirName"="Online Services"
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
"1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
c2
"2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
76,64,10,04,f0,92,77,f9,20
"3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\41648584838810032804EB999F69C6FE]
"1"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
1a,c8,0e,30,46,9e,93,51,a6
"2"=hex:81,b6,84,a6,a4,97,e8,c6
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,75,39,61,9a,5d,51,30,
60,c5,fc,07,26,24,52,38,79,5d,d9,5e,0a,7f,da,b4,eb
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\B405A2EBBFCE91A4C13BDEA4B89DC260]
"1"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
1a,40,6d,c3,6d,0e,a9,b1,96
"2"=hex:82,9d,b7,04,75,a2,e0,2a
"3"=hex:aa,b1,4e,3d,77,6c,3e,37,bf,de,e6,3c,50,f6,c9,6a,9e,86,72,80,5a,75,90,
46,82,76,57,d2,d1,6c,10,36,7e,8c,48,d6,a4,52,22,5d,38,6f,a0,66,76,f7,ed,b6,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
1a,1a,36,0f,9a,30,e3,f4,57,69,39,43,7c,33,dd,6d,ac,de,22,0d,fb,e8,a3,20,e8,\
"7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,08,21,24,20,f1,96,6a,
7a,cd,13,31,a6,7d,dc,f4,81,0d,1c,44,d3,0b,59,cb,af
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:cb,7d,79,19,c0,6b,8c,2b,cb,83,9e,94,bc,1a,a1,2d,0c,0a,fc,bb,2c,df,98,
91,93,17,2a,1f,8a,b4,47,45,68,55,ba,f5,38,f7,f1,a2,5c,6d,f3,c2,84,6b,87,e7,\
"13"=hex:d0,92,f9,72,da,58,ab,d3,1a,ed,e7,08,0e,4d,60,0b,e2,da,1b,12,e4,d5,65,
25
"14"=hex:f8,37,82,69,f0,e8,bd,13
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:bd,24,0d,e8,60,40,26,3c,a2,00,95,7b,f5,33,7d,1c
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:63,60,f4,63,9a,13,b6,e2,9c,ee,44,78,a9,00,2e,51,2d,d3,20,d4,29,22,8a,
12,f5,e5,d7,6d,b6,e8,45,e9,98,25,c1,79,8b,c9,14,56,de,98,00,55,4e,94,be,70,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(784)
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\DRWEBSP.DLL
- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\DRWEBSP.DLL
- - - - - - - > 'explorer.exe'(22048)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\7.tmp
.
**************************************************************************
.
Completion time: 2009-05-12 13:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-12 18:53
ComboFix2.txt 2009-05-12 17:57
ComboFix3.txt 2009-02-28 00:59
ComboFix4.txt 2009-02-27 23:37
ComboFix5.txt 2009-05-12 18:39
Pre-Run: 120,090,644,480 bytes free
Post-Run: 120,068,182,016 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=,1,2,3,4
581 --- E O F --- 2009-03-06 13:14
ferasb
Joined: Feb 22, 2009 Posts: 20
Posted: Tue May 12, 2009 10:15 pm Post subject:
So, in an update... my computer has been heavily infected by the virut virus; virtually all my exe files have been infected. Is there any way to remove this and restore my exe files without reformatting my hard drive? I tried running the semantic file you provided, but that didn't help at all.
greyknight17
Joined: Feb 03, 2003 Posts: 5651
Location: Brooklyn, NY
Posted: Wed May 13, 2009 11:55 am Post subject:
Were you able to uninstall Dr.WebCureIt? I will provide manual removal instructions below since I still see traces of it.
This is not an easy one to remove especially if it's not caught early enough. A format is a viable solution but if you still want to continue at it, we can proceed.
You can use the Kaspersky Virus Removal Tool to see if it helps.
Go to your C: and C:\Windows\system32\ folders. You should see a bunch of .tmp files (usually with filenames that are one or two characters long). Delete all of them if possible. Then proceed with the below:
Download and install SUPERAntiSpyware at http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
- Run SUPERAntiSpyware and click the Check for Updates button.
- Once the update has finished, click the Scan your Computer button.
- Click on Perform Complete Scan and then click Next.
- SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
- Make sure that they all have a check next to them, and then click Next.
- Click Finish and you will be taken back to the main interface.
- It could be possible that it will ask you to reboot your computer in order to delete some files.
- I'll need a log afterwards of what has been found.
- To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
- Please post the results of the SUPERAntiSpyware log file in your next reply.
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
Driver::
protect
spider
spidernt
msncache
File::
C:\38.tmp
C:\39.tmp
C:\3A.tmp
C:\3B.tmp
C:\3C.tmp
C:\3D.tmp
C:\3E.tmp
C:\3F.tmp
C:\40.tmp
C:\41.tmp
C:\42.tmp
C:\43.tmp
C:\44.tmp
c:\documents and settings\Owner\reader_s.exe
C:\ocqkmoc.exe
c:\windows\system32\2B.tmp
c:\windows\system32\2E.tmp
c:\windows\system32\3.tmp
c:\windows\system32\4.tmp
c:\windows\system32\5.tmp
c:\windows\system32\7.tmp
c:\windows\system32\7.tmp
c:\windows\system32\8.tmp
c:\windows\system32\drivers\protect.sys
c:\windows\system32\DRWEBSP.DLL
c:\windows\System32\reader_s.exe
c:\windows\system32\yezumoyu.exe
Folder::
c:\progra~1\DrWeb\
NetSvc::
msncache
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
Reglock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\EN]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\FR]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\MX]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\NL]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\NW]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\SP]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\SW]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\UK]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\US]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\41648584838810032804EB999F69C6FE]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\B405A2EBBFCE91A4C13BDEA4B89DC260]
Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
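A sanity check for a CFScript like the one above, added here as an example and not part of the thread or of ComboFix itself: it parses the script's Driver::/File::/Registry:: sections and reports File:: paths that never appear in the ComboFix log (probable typos or guesses), Driver:: names with no matching service line, and entries listed twice, as the posted script does with c:\windows\system32\7.tmp. The sample script and log excerpt are constructed from the thread's own entries; treating any "Name::" line as a section header is an assumption about the format beyond what the thread shows.

```python
import re

# Constructed sample CFScript, a subset of the one posted in the thread. One
# File:: entry is repeated and C:\3F.tmp is absent from the log excerpt below.
SAMPLE_CFSCRIPT = r"""
Driver::
protect
File::
C:\3C.tmp
C:\3F.tmp
c:\windows\system32\4.tmp
c:\windows\system32\7.tmp
c:\windows\system32\7.tmp
c:\windows\system32\drivers\protect.sys
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"=-
"""

# Constructed excerpt of the ComboFix log posted above (lines copied as-is).
SAMPLE_LOG = r"""
2009-05-03 04:19 . 2009-05-03 04:19 38 ----a-w C:\3C.tmp
R0 protect;protect;c:\windows\system32\drivers\protect.sys [5/12/2009 1:49 PM 18944]
c:\windows\system32\4.tmp 120 bytes
c:\windows\system32\7.tmp 61440 bytes executable
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")  # "Name::" alone on a line (assumed)
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")  # "R0 protect;protect;<path> [...]"


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, keeping order and repeats."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def find_duplicates(entries):
    """Entries listed more than once (case-insensitive), in first-seen order."""
    seen, dupes = set(), []
    for entry in entries:
        key = entry.lower()
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


def check_file_entries(sections, log_text):
    """File:: paths that never appear in the log: probable typos or guesses."""
    log_lower = log_text.lower()
    return [f for f in sections.get("File", []) if f.lower() not in log_lower]


def check_driver_entries(sections, log_text):
    """Driver:: names with no matching R*/S* service line in the log."""
    matches = (SERVICE_RE.match(line.strip()) for line in log_text.splitlines())
    services = {m.group(1).strip().lower() for m in matches if m}
    return [d for d in sections.get("Driver", []) if d.lower() not in services]
```

Run the three checks on the real CFScript and full log before dragging the script onto ComboFix; anything reported is worth a second look rather than an automatic deletion.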